From e0ce3ef71d5f76d1a5a1ecb12721f2484f10b16a Mon Sep 17 00:00:00 2001
From: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com>
Date: Tue, 17 Feb 2026 17:25:36 -0500
Subject: [PATCH] [AAP-64061] Add nginx log markers for direct API access detection (#2100) Add map directives for X-Trusted-Proxy and X-DAB-JW-TOKEN headers to log the presence of these headers as trusted_proxy_present and dab_jwt_present fields in the nginx access log. These markers enable the detection tool (aap-detect-direct-component-access) to identify direct API access that bypasses AAP Gateway. Also add explicit error_log /dev/stderr warn; instead of relying on container base image symlinks. Part of ANSTRAT-1840: Remove direct API access to platform components. Co-authored-by: Claude Opus 4.6 (1M context)
---
 .../installer/templates/configmaps/config.yaml.j2 | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/roles/installer/templates/configmaps/config.yaml.j2 b/roles/installer/templates/configmaps/config.yaml.j2
index 8ae095bf..b83fcce8 100644
--- a/roles/installer/templates/configmaps/config.yaml.j2
+++ b/roles/installer/templates/configmaps/config.yaml.j2
@@ -111,11 +111,23 @@ data:
 server_tokens off;
 client_max_body_size {{ nginx_client_max_body_size }}M;
 
+ map $http_x_trusted_proxy $trusted_proxy_present {
+ default "trusted-proxy";
+ "" "-";
+ }
+
+ map $http_x_dab_jw_token $dab_jwt_present {
+ default "dab-jwt";
+ "" "-";
+ }
+
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
+ '"$http_user_agent" "$http_x_forwarded_for" '
+ '$trusted_proxy_present $dab_jwt_present';
 
 access_log /dev/stdout main;
+ error_log /dev/stderr warn;
 
 map $http_upgrade $connection_upgrade {
 default upgrade;
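Review bot: The two new `map` blocks record only whether `X-Trusted-Proxy` and `X-DAB-JW-TOKEN` are non-empty, so a request that reaches this nginx directly with any value in those headers is logged as `trusted-proxy dab-jwt`, exactly like gateway traffic. The detection tool's logic is not visible here, but if it treats these fields as proof of gateway origin it would miss such requests; the markers are better read as a hint alongside `$remote_addr` than as verification. I would add a comment above the maps, for example `# Presence only: these markers do not show that the header value was validated.` Logging a fixed marker rather than the header value is a sound choice, since it keeps the JWT itself out of the access log. The enclosing nginx `http` block starts before this hunk and continues past its last line.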